Pokemon Go Security & Privacy Concerns

Pokemon Go is the app that has taken the world by storm in an unprecedented fashion. It has quickly skyrocketed to the top downloads list and has broken a variety of mobile app records. It currently competes with and sometimes surpasses such giants as Twitter and Facebook in terms of the amount of time spent and the amount of money earned. Basically, everyone is playing Pokemon Go or at least knows someone who is.

Popularity and Security

While this popularity is great news for the developers, and Pokemon Go is indeed a very unique and addictive game, popularity tends to be bad from a security standpoint. At the most basic level, this popularity invites hacking. Mobile apps are also among the most hacked and most vulnerable programs available.

The nature of Pokemon Go also encourages players to congregate in certain areas like city parks or community buildings. These places often have Pokemon gyms where battles and the more exciting elements of the game take place. They also tend to have an above-average concentration of Pokestops, places where players can earn experience and items every five minutes by visiting them. A mass of players in a small area, all playing on the same interconnected app, represents a haven for short-range hackers who could be trying to exploit the game to access a person’s device and personal information. This risk greatly increases if the players are connected using the same WiFi hotspot or local network.

Permissions and Access

One alarming concern with Pokemon Go at its release was the unprecedented level of account access the app requires. The majority of apps request only the minimum level of access required for the app to function. While this sometimes looks ominous, for example the ability to access contact information, billing information or make changes to the hard drive, these functions are generally necessary for all apps. The act of installing the app is a change to the hard drive, so the program wouldn’t be usable without that permission. Access to in-app purchases wouldn’t be possible without access to billing information, and the list goes on.

Pokemon Go, however, requested full account access through Google. This was very alarming to security experts because full account access allows the program to do basically everything the user would be able to do with their Google account. This includes access to personal information and files such as those stored on Google Drive. It would even include being able to make changes to those files and delete them. Obviously, this was far in excess of what the app needed to function.

The rumors and backlash created by this were quick and harsh and forced Pokemon Go developer Niantic to quickly take action. They put out a statement explaining that full account access was not intended or needed and that no abnormal information had been collected or accessed by the company. A patch was released that fixed these permissions, and Google made their own changes to restrict access back to a reasonable level. For all intents and purposes, the problem was resolved for current and future players.

Even so, the incident raises some important questions. One important consideration is how easy it was for so many people to give away this security and protection without even thinking about the possible consequences. In this particular case, Niantic seems to be a reputable company that truly did not access information, and the situation was merely an oversight. What might happen if hundreds of millions of people were to download such an app and unwittingly provide their information to a less reputable organization? The whole fiasco shows every hacker and scammer in the world just how easy it would be to dupe the masses.

The precedent for a massive identity theft breach has been created, and that precedent cannot ever be taken back. The best hope now is that the incident has alerted more people to the fact that they need to be careful and considerate about app permissions and what they give away with the simple click of an accept button.

Tracking, GPS Data and Cameras

Pokemon Go is also a relatively new phenomenon when it comes to what the app does with a device. It provides continuous GPS tracking and also accesses the device’s camera. This leaves the potential for exploitation by unsavory characters, the government and various companies who can collect a massive amount of very precise location data for many millions of people. This data is usually used in a benign and even helpful manner to assist companies with business plans and the placement of products. There is still always the potential that a hacker or criminal could use the same system to track or stalk individuals without their knowledge or consent and collect a great deal of information about their daily personal lives.

Third Party Permissions

Last on the list of black marks against Niantic is their extremely liberal information sharing policy. Niantic’s Terms of Use specify that they reserve the right to share personal information about customers with third party groups who may not be as considerate about customer rights and privacy. In simple terms, this gives Niantic the legal permission to give out personal information to anyone they want to, and those people may use that information however they want to. In reality, this is not usually a concern. The company puts in these clauses so their hands are not tied from a business and advertising perspective, but it still creates the possibility for major identity theft issues.

How to Protect Yourself

Taking extra steps to protect your online identity and information has become more important than ever before. The Pokemon Go phenomenon has brought this problem into the spotlight, which is good news because it means more people and companies may take action to prevent security breaches.

One of the best ways to get protection is to use a VPN service. A VPN encrypts all of the data your device sends out over the internet. It is a huge barrier against hackers and unwanted intrusions. Traditionally, VPNs have been the domain of businesses and schools, which use them to let students and employees access secure databases and servers on the go. With electronic security threats higher than ever before, it is worthwhile for individuals to make use of this service for protection.

The takeaway lesson from Pokemon Go is that consumers need to be more careful and more mindful about how they conduct themselves online, what they download and how liberally they give access to programs. It is more likely than ever that this situation will be repeated and that the need to be prepared and vigilant will remain.

I wonder how many people who are playing Pokemon Go are actually aware of the many threats this app has in the backend. Ever since this game got popular, most of us have forgotten that it is actually just a game. It is fun and addictive but our privacy should be more important. A VPN service should be a must for playing this and other similar games but I don’t think more than 5% of users have subscribed to such a service. The internet is a beautiful place but it’s also quite dangerous.

Unfortunately, the dangers of this game are not talked about on TV or in newspapers so many haven’t the slightest idea what could happen. I know it’s very easy to just act like a regular Pokemon Go player and get close to a big group of people and hack someone’s device. It’s not very difficult to do and it’s quite hard to find the hacker in a large group even if someone was looking for him/her. There should be more information on this subject, in places where a lot of people can see it.

Can we be sure that Niantic didn’t access any sensitive information? How? And what if just one of their employees decided to make some money and just gathered personal data and sold it online? How would the general public know about this?

Maybe Niantic is indeed a trustworthy company, but we can’t be sure of that at all. Or it could seem this way now, just to find out in a few months that the data has actually been collected and maybe even sold. Without anyone watching over them we can’t know for sure.
